#15205 Administrator secret URL parameter

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 27 February 2013 11:06 CST

user71798

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (2.5.9)
PHP version: (5.3.15)
MySQL version: (unknown)
Host: (Arvixe)
Admin Tools version: (2.5.1)

Description of my issue:

I have the Administrator secret URL parameter set but last night I got 2 security exception emails for Login failures that were not from any admins on the site.

My question is: if I have set the secret URL parameter and I still get the login failures as opposed to Admin Queries, would that mean someone has bypassed this feature or has figured out the parameter?

I'm curious if I need to reset the parameter or if this is normal.

Thanks.

K.

nicholas
Akeeba Staff
Manager

Please check the following:

  • The System - Admin Tools plugin is published
  • The System - Admin Tools plugin has its Access set to Public (blank, Guest or anything else won't do)
  • The IPs of the people triggering the login error are not in the administrator IP whitelist or in any other fields in the Configure WAF page

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user71798

I've attached screen grabs.

In response, all of your suggestions are how my Admin Tools is already configured.

nicholas
Akeeba Staff
Manager

What is the URL of your site? I'd like to give it a go and see if I get blocked.


user71798

Here is my URL.

(Support staff edit: redacted per user's request)

Since my last post I configured the Auto-ban feature.  I've included an attachment of the fields as a screen grab.


nicholas
Akeeba Staff
Manager

OK, test successful. That joker from Greece you see that just got banned? Well, that was me :)

So, I guess it's time to change your secret URL parameter. The last one may have been compromised.


user71798

I just tested something.  Even though I have the Secret Parameter set, it is being ignored.

Try going to the admin section.  Even though you don't have the parameter, it will let you right in.


K.

user71798

I just removed your IP from being banned.


K.

nicholas
Akeeba Staff
Manager

Your IP is in the "Never block these IPs" list. The corollary is that you get a free pass whenever accessing your site with an IP in this list (or any whitelisted IP): Admin Tools does not apply any protection measures against your request because it comes from a "trusted IP".

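The evaluation order nicholas describes, as an added illustration written for this thread (not Admin Tools' own code): a request from an IP on the "Never block these IPs" or administrator whitelist is allowed before any protection runs, including the administrator secret URL parameter, and a "Login failure" from an untrusted IP therefore implies the parameter was presented. The parameter name, the config fields, CIDR support and the sample IPs are assumptions.

```python
"""Model of the WAF decision for a request to /administrator, based on the
explanation in this thread. Constructed example, not Admin Tools source."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class WafConfig:
    # Secret URL parameter name; None means the feature is not configured.
    secret_param: Optional[str] = None
    # "Never block" / administrator whitelist entries: single IPs or CIDR
    # ranges (assumption: the real product stores its own range syntax).
    trusted_ips: List[str] = field(default_factory=list)


def is_trusted(client_ip: str, trusted_ips: List[str]) -> bool:
    """True if client_ip falls inside any whitelist entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in trusted_ips)


def evaluate_admin_request(client_ip: str, query_params: Dict[str, str],
                           cfg: WafConfig) -> Tuple[str, str]:
    """Return (decision, reason). Trusted IPs get a free pass before any
    check, which is why the admin area opened without the parameter."""
    if is_trusted(client_ip, cfg.trusted_ips):
        return "allow", "trusted IP: all protection skipped"
    if cfg.secret_param is None:
        return "allow", "secret URL parameter not configured"
    if cfg.secret_param in query_params:
        return "allow", "secret URL parameter present"
    return "block", "admin query string"


def login_failure_implies_secret_known(client_ip: str, cfg: WafConfig) -> bool:
    """A 'Login failure' exception means the client reached the login form.
    If the same client would have been blocked without the parameter, it must
    have known the parameter, so the parameter should be rotated."""
    decision, _ = evaluate_admin_request(client_ip, {}, cfg)
    return decision == "block"


if __name__ == "__main__":
    # Constructed config: documentation-range IPs, placeholder secret.
    cfg = WafConfig(secret_param="example_secret", trusted_ips=["203.0.113.0/24"])
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, evaluate_admin_request(ip, {}, cfg),
              "rotate secret" if login_failure_implies_secret_known(ip, cfg) else "expected")
```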

user71798

That explains it.  If possible, can you edit my URL out of this string of posts?

Thanks,

K.

nicholas
Akeeba Staff
Manager

You're welcome! The URL was redacted per your request.

